The AI landscape doesn't move in one direction — it lurches. Some techniques leap from experiment to table stakes in a single quarter; others stall against regulatory walls, technical ceilings, or organisational inertia that no amount of hype can dislodge. Knowing which is which is the hard part. The State of Play cuts through the noise with a rigorously maintained index of AI techniques across every major business domain — classified by maturity, evidenced by real-world adoption, and updated daily so you always know where you stand relative to the field. Stop guessing. Start knowing.
A daily newsletter distilling the past two weeks of movement in a domain or two — delivered to your inbox while the index updates in the background.
Each dot marks the weighted maturity of practices within a domain — hover for a brief summary, click for more detail
Development of organisational policies governing acceptable use of AI tools and systems by employees and contractors. Includes policy template development and use case approval frameworks; distinct from AI regulatory compliance which targets external rather than internal governance.
AI acceptable use policy development has crossed from experimental into proven territory. The practice — defining what employees and contractors may and may not do with AI tools — now has GA tooling, international standards (ISO 42001), dedicated vendor platforms, and regulatory mandates in multiple jurisdictions. The question facing most organisations is no longer whether to create an AUP but how to make one that actually works in practice. That distinction matters, because a persistent governance-to-deployment gap defines the field: organisations adopt AI far faster than they operationalise the policies meant to govern it. Gartner projects 80% of organisations will have formalised AI policies by the end of 2026, yet surveys consistently show fewer than half back those policies with functioning risk frameworks or enforcement mechanisms. May 2026 evidence sharpens this paradox: 87% of large enterprises have formal AUPs in place, but only 22% say those policies work effectively in practice, with 20% reporting significant gaps between policy intent and execution. The structural challenge has shifted from policy creation to policy integration — standalone AUPs designed for ChatGPT-era tools are becoming obsolete as AI embeds into enterprise platforms. Organisations that treat AUP development as a one-time compliance exercise rather than a continuous governance function risk both regulatory exposure and unchecked shadow AI use.
U.S. state AI laws that took effect on 1 January 2026 — California's Transparency in Frontier AI Act, Texas's Responsible AI Governance Act, and Illinois employment-discrimination rules — have turned AUP development from a best-practice recommendation into a compliance obligation for many organisations. Regulatory fragmentation is now acute: legislators have introduced over 2,182 AI-related bills across all 50 states with inconsistent definitions, audit timelines, and enforcement mechanisms, forcing organisations building AUPs to navigate conflicting requirements and plan for regulatory fluidity. The EU AI Act timeline, accelerating toward August 2026, adds further pressure. Yet regulation is outpacing implementation. Gallagher's 2026 survey found that 63% of organisations have operationalised AI systems, but fewer than 47% have formal risk management frameworks, incident response plans, or ethical impact assessments. June 2026 evidence quantifies the enforcement crisis more sharply: 40–65% of enterprise employees use unapproved AI tools, with 47% entering sensitive data via personal accounts; 13% of organisations experienced a breach directly from unauthorised AI use; 62% of Canadian SMBs deployed AI without written governance frameworks, and 41% of those reported AI-related incidents. Shadow AI now costs organisations an average $670k additional breach expenses and is the third most common insider threat (up 4x year-over-year). Critically, CSA research shows that when organisations provision sanctioned AI tools paired with acceptable-use frameworks, unauthorised use drops by 89%, providing direct evidence of AUP effectiveness at scale.
The critical barrier is no longer policy creation but policy enforcement architecture. Grant Thornton's June 2026 survey of 950 executives found 78% lack confidence they could pass an AI audit within 90 days, and 46% cite governance or compliance barriers as the top factor in AI project failure. Uniform AUPs are proving inadequate: CSA research identifies a power-user blind spot — the top 5% of enterprise users generate 10x the AI conversation volume and handle sensitive data disproportionately, yet standard policies treat all users identically. The fundamental problem is multifaceted: user-layer policies alone fail when data-layer enforcement is absent; static AUPs cannot adapt as AI integrates into existing enterprise platforms; and periodic compliance audits miss continuous drift in policy enforcement. Organisations must now address agentic AI governance explicitly — only 7% currently have policies specific to autonomous systems despite 40% projected agent adoption — and implement system-level enforcement rather than documentation-only approaches. The CFO-driven governance shift is accelerating: enterprises are cutting AI spend by 25% due to ROI scrutiny, implementing per-user spending caps, and demanding governance discipline before funding additional deployments. Those that treat AUP development as continuous, system-level enforcement integrated with data architecture are scaling confidently; those treating it as one-time documentation risk both regulatory exposure and uncontrolled shadow AI use.
The vendor ecosystem has matured accordingly. Credo AI leads Forrester's Wave for AI governance with production deployments across Fortune 100 firms; Microsoft holds ISO 42001 certification for Copilot; and the Credo AI-Carahsoft partnership has opened governance tooling to U.S. public-sector procurement. Gartner projects the governance-tooling market will grow from $309M to $4.8B by 2034. May 2026 maturity frameworks (SANS AI Security Maturity Model, Cloud Security Alliance AISMM) identify policy development as the critical organisational bottleneck: "Employees use AI tools faster than security teams write policy" and "Agent pilots are greenlit while security is still drafting acceptable use policies." But tooling alone does not close the gap. In the public sector, 70% of civil servants use AI while only 18% consider their government's governance effective. Enterprise governance roles remain scarce at smaller firms — 36% have them, compared with 59% at large enterprises. The result is a sharply bifurcated landscape: well-resourced organisations operationalising standards-aligned governance with measurable efficiency gains, while mainstream firms remain caught between policy awareness and operational enforcement — a challenge amplified by the fact that runtime enforcement (detecting and blocking unauthorised AI use at the point of data access) requires architectural investment beyond written policy.
— Grant Thornton survey (950 executives): 78% lack confidence in audit readiness; 46% cite governance/compliance as top AI project failure barrier; only 20% have tested incident response playbooks.
— CFO-driven governance shift: major tech company spent $500M monthly without usage controls; 25% of planned AI spend postponed due to ROI scrutiny; usage policies and consumption governance emerging as standard practice.
— Agentic AI governance gap: only 7% have agentic-specific policies despite 40% projected adoption; AUPs must address ownership clarity, delegation traceability, and runtime monitoring for autonomous systems.
— Practitioners identify point-in-time audits as inadequate; EU AI Act Article 12 requires continuous logging for traceability; AUPs must be designed for system-level enforcement generating evidence on every interaction, not periodic review.
— CSA research: only 37% have AI policies despite 80% employee use; provisioning sanctioned tools with AUPs reduces unauthorized use by 89%; shadow AI breaches cost $670k premium, establishing business case for AUP deployment.
— CSA analysis: 2,182 state-level AI bills create conflicting governance requirements; Colorado's SB 24-205 repeal illustrates planning risk; AUP compliance costs $50-500k/year per organization in fragmented landscape.
— CSA research identifies critical AUP design failure: uniform policies don't differentiate risk tiers; top 5% of users generate 144x conversation depth; proposes four-tier governance framework tied to actual risk distribution.
— Verizon DBIR 2026: 67% use non-corporate accounts, 45% regular users (up 3x); shadow AI #3 insider threat; CSA recommends treating AI governance as access control with inventory, least-privilege, and AUPs as operational governance.
2023-H1: Emergence of corporate AI acceptable use policies driven by ChatGPT adoption and data privacy concerns. Legal firms publish policy templates; educational institutions lead sectoral adoption. Fewer than 50% of organisations have formal AI governance; surveys show strong demand for policy guidance and human oversight mechanisms. Multiple governance frameworks (ISO 42001, NIST AI RMF) published to support policy development. Real-world deployment failures (cybersecurity, IP leakage, accuracy issues) underscore policy necessity.
2023-H2: Critical adoption-policy gap widens: 56-88% of employees use GenAI but only 8-28% of organisations have formal policies, with educational sector most immature (8% adoption). ISO/IEC 42001 published as first international AI management standard; however, awareness and implementation capacity remain limited. Security risks (misinformation, unauthorised use, IP leakage) drive urgency. Policy development remains concentrated in well-resourced and regulated sectors; mainstream adoption blocked by skills gaps and uncertainty about enforcement mechanisms.
2024-Q1: Regulatory pressure increases with DOJ mandate to assess AI risks in corporate compliance programmes, signalling enforcement implications. Sectoral gaps persist: 79% of K-12 schools still lack clear policies. Board-level engagement remains weak (12% have held substantive AI discussions). Vendor ecosystem matures with Credo AI GRC platform launch; practitioner frameworks evolve linking NIST standards to policy development. Critical assessments of governance gaps (Amnesty International) highlight human rights blindspots. Overall adoption trajectory remains slow despite regulatory momentum.
2024-Q2: Federal government mandates AI governance across agencies (OMB M-24-10), creating procurement leverage for policy adoption including chief AI officers and use-case inventories. Vendor ecosystem consolidates towards sector-specific controls frameworks (IBM Financial Services) and practical guidance (Google Cloud). Practitioner frameworks standardise around governance: ITIF publishes policy-response taxonomy; IAPP/FTI release maturity assessments. Industry surveys document persistent governance gaps—adoption outpaces implementation—despite regulatory acceleration and maturing vendor tooling. Sectoral disparities persist; adoption-policy misalignment remains structural barrier to maturity.
2024-Q3: ISO 42001 ecosystem matures with 15 accredited certification bodies by August, signalling standardization progress. Vendor tools consolidate with Credo AI governance advisory services and Google/Microsoft content filtering suites. Higher education adoption remains weak: 31% of college students uncertain about AI policies, only 16% cite institutional guidance. Critical enforcement gap emerges: 80% of organisations deploy guidelines but 60% of employees bypass them, highlighting need for compliance mechanisms beyond policy documents. Practitioner guidance advances with sector-specific frameworks (PRSA PR, compliance consultancies), but shadow AI and non-compliance remain systemic challenges.
2024-Q4: Regulatory enforcement deepens: DOJ updates compliance guidance to explicitly require AI risk assessment and governance integration, creating concrete compliance program implications. C-suite policy adoption accelerates: 44% of executives report organisational GenAI policies (4.4x growth from 2023). Functional area fragmentation emerges: only 60% of HR departments have AUPs despite 94% of HR professionals using AI. Enterprise governance gaps persist: Deloitte survey shows 58% deployment of GenAI but 21–41% have zero controls; only 47% confident in governance adaptation. Critical practitioner assessment: academics highlight platform-integration challenge—AI policies designed for standalone tools become obsolete as AI embeds into existing platforms (Adobe, Google, Microsoft), requiring architectural shift in policy design. Standards ecosystem matures with ISO 42001 certification availability, but adoption remains concentrated in regulated sectors.
2025-Q1: Policy adoption accelerates globally with board-level engagement rising (Glass Lewis: 40% of European large-caps have formal policies), but implementation deficits widen. Pacific AI survey quantifies the gap: 75% report having policies but only 59% have governance roles; Boardspan shows boards self-grade AI oversight at C-, lowest-scoring governance topic. Negative-signal evidence dominates: 63% lack adequate governance frameworks, with major failures averaging $4.2M in costs. Large enterprises operationalize governance at scale (IBM case study: 58–62% reduction in data clearance times across 1000+ datasets). Platform-integration challenge continues as policies designed for standalone tools become obsolete amid AI embedding into enterprise platforms (Adobe, Google Workspace, Microsoft 365). Landscape bifurcates: regulated sectors and well-resourced enterprises advance maturity; mainstream organizations trapped in policy-implementation gap.
2025-Q2: Vendor ecosystem matures with standards alignment: Microsoft achieves ISO/IEC 42001 certification for Copilot (April); Credo AI/IBM integrate policy automation into watsonx.governance (April). Functional area fragmentation worsens: marketing teams show 63% lack policies; only 27% of organizations review AI-generated outputs before use. Governance process maturity remains low: only 23% have standardized AI intake processes, 36% use manual spreadsheets. Pacific AI survey (June) reconfirms gap: 75% have policies but 59% lack governance roles, 54% lack incident response. Adoption barriers persist (Deloitte): compliance and regulatory requirements impede AI deployment despite policy availability. Platform-integration challenge continues: standalone-tool policies becoming obsolete as AI embeds into enterprise platforms. Bifurcated landscape deepens: enterprises with standards-aligned governance advance; mainstream organizations lag in implementation despite high policy awareness.
2025-Q3: Governance tool ecosystem accelerates: Credo AI named Forrester Wave leader with highest marks in AI policy management and compliance workflows; enterprise adoption spreads across Fortune 100 financial services, restaurant, and MedTech sectors. Healthcare and specialized vendors operationalize production-level AUPs (John Snow Labs: risk-based prohibited uses with cross-functional governance). Comprehensive synthesis of Q3 studies documents persistent maturity crisis: 93% of companies use AI but only 7% have fully embedded governance frameworks; 72% lack company-wide responsible use policies; 62% lack documented governance plans. Governance execution remains severely constrained: only 30% have production AI systems deployed, 48% lack monitoring, pressure to move fast remains top barrier. Small enterprises drastically lag large firms in governance capability (36% have governance roles vs. 59%+ at large enterprises). Negative-signal dominance continues: governance tool adoption and policy automation accelerating in sophisticated enterprises while mainstream organizations remain trapped in policy-implementation gap, with deep chasm between stated policies and operational capacity.
2025-Q4: Enterprise AI adoption accelerates to 80% while governance implementation lags sharply: 78% use AI but only 25% have fully implemented governance programs. Board-level engagement remains structurally weak (32% have AI committees, 12% have risk frameworks). Compliance function under acute time pressure: 47% of compliance leaders cite time as barrier despite regulatory mandates. Vendor ecosystem signals strong market growth: Gartner projects $309M (2025) to $4.8B (2034) market expansion; Credo AI reports 150% customer growth with 70% faster use-case reviews. Negative evidence dominates: 97% of orgs with AI breaches lacked access controls; 63% lack formal AUPs despite deployment; critical governance failures documented in ethics research. Process maturity remains low: only 23% have standardized intake processes, 36% use manual spreadsheets. Capability gap widens: governance role adoption 36% at SMEs vs. 59%+ at large firms. Bifurcated landscape deepens into year-end: well-resourced enterprises operationalizing standards-aligned governance with measurable ROI; mainstream organizations with nominal policies but sparse operational enforcement.
2026-Jan: U.S. state AI laws become effective January 1 (CA Transparency Act, TX Responsible AI Act, IL employment discrimination rules), creating immediate AUP compliance drivers. Regulatory environment converges toward 'governance beyond principles to practice' with Hiroshima Global Forum signaling shift to operational standards (AI Safety Institutes as coordination nodes, continuous governance for agentic systems). ISO 42001 ecosystem reports surge in organizational interest; Schellman audit firm documents steady stream of AUP preparation questions from enterprises building formal governance programs. Public sector adoption expands: Credo AI-Carahsoft partnership makes governance tooling available to federal/state/local agencies via procurement vehicles. Industry analysis confirms pilot-to-production gap stems from governance confidence, not model limitations, driving rapid enterprise spending shift to GRC capabilities and dedicated roles. IE University framework standardizes seven core AUP components (inventory, risk classification, ownership, lifecycle controls, documentation, monitoring, auditability), providing operational blueprint for organizations in preparation phase. Structural bifurcation persists: sophisticated enterprises operationalizing standards-aligned governance with measurable efficiency gains; mainstream and SME organizations remain constrained by policy-implementation gaps and sparse enforcement capacity.
2026-Feb: Regulatory environment and policy formalization accelerate: Gartner projects 80% of organizations will formalize AI policies by 2026; Insentra reports steady policy adoption momentum. Gallagher survey documents paradox—63% operationalized AI but less than 47% have formal risk frameworks, incident response, or ethical assessments. Public sector governance gaps widen: 70% of civil servants use AI but only 18% rate government governance effective, indicating enforcement failures despite adoption. Shadow AI remains endemic at scale: 80% of workers use unapproved tools. Governance-innovation gap persists as critical barrier: 83% of AI leaders express major concern about governance, but only 26% advance beyond pilot stage, pointing to confidence deficits rather than capability constraints. Platform-integration challenge continues as AUPs become obsolete amid AI embedding into enterprise systems (Adobe, Google Workspace, Microsoft). Bifurcated landscape deepens: well-resourced and regulated sectors operationalize ISO-aligned governance with dedicated roles and measurable efficiency; mainstream and SME organizations trapped in policy-awareness-to-implementation gap with weak enforcement mechanisms.
2026-Apr: Sector expansion accelerates: Wisconsin's Department of Public Instruction published detailed K-12 AUP frameworks and Airbnb operationalized a platform-wide AUP banning AI-generated damage-claim evidence across 12M+ listings, demonstrating enforcement at scale. Irish financial-services firms reported governance framework adoption doubled year-over-year to 16%; Harvard Law School issued board-level guidance integrating AUP development into compliance obligations for regulated sectors. The adoption-implementation gap persists: a multi-country survey of 6,500+ respondents shows 65% AI adoption but 58% lack security/privacy training, 57% of US SMEs use AI while 77% lack a formal AUP, and iManage's global benchmark of 85% organizational AI adoption found 36% experiencing policy violations — confirming that policy existence continues to lag far behind enforcement capacity.
2026-May: Critical enforcement and architecture gaps dominate new evidence: AAA-ICDR benchmark of 500 senior executives shows 87% have formal AUPs but only 22% judge their governance effective; 20% report significant policy-practice gaps. Shadow AI crisis becomes quantified: 40–65% use unapproved tools, 47% via personal accounts with sensitive data, 13% of firms experience breaches from unauthorized AI use; shadow AI incidents cost $670k additional per breach. Canadian SMB data shows 62% deployed AI without written frameworks; 41% subsequently reported incidents. Maturity frameworks (SANS, CSA AISMM) identify policy-writing lag as critical bottleneck: "Employees use tools faster than security writes policies." Consensus emerges that policy-only governance fails without runtime enforcement at data and model layers. Architectural gap identified as mandatory: organizations must evolve beyond static AUPs to continuous policy enforcement integrated into enterprise data architecture.
2026-Jun: CFO-driven governance pressure intensifies: one major technology company spent $500M monthly without usage controls, and 25% of planned AI spend is being postponed as ROI scrutiny drives demand for consumption governance and per-user spending caps. The agentic policy gap sharpens further — only 7% of organizations have autonomous-agent-specific AUPs despite 40% projected agentic adoption — while Grant Thornton's survey of 950 executives found 78% lack confidence in audit readiness and 46% cite governance or compliance as the primary barrier to AI project success.